JP2023133530A - User equipment and method performed by user equipment - Google Patents

Abstract

To separate user plane communication and control plane communication.SOLUTION: A first base station receives a first message regarding a security key update from a second base station when a PDCP count is about to wrap around. The first base station uses the first base station's security key to derive the second base station's updated security key while UE is connected to the first base station and the second base station. The first base station transmits to the second base station a message for delivering the updated security key from which an updated user plane security key can be derived to protect user plane traffic between the UE and the second base station.SELECTED DRAWING: Figure 12

Description

The present invention relates to mobile communication devices and mobile communication networks, and in particular, but not exclusively, to mobile communication devices and mobile communication networks that operate in accordance with the Third Generation Partnership Project (3GPP) standards or equivalents or derivatives thereof. Regarding networks. The present invention relates in particular, but not exclusively, to the so-called Long Term Evolution (LTE)/Evolved LTE (LTE-A) of the UTRAN (referred to as the Evolved Universal Terrestrial Radio Access Network (E-UTRAN)). Relevant for further development.

As part of the 3GPP standardization process, it was decided that downlink operation for system bandwidths above 20 MHz would be based on aggregation of multiple component carriers at different frequencies. Such carrier aggregation can be used to support operation in both systems with a continuous spectrum and systems without a continuous spectrum (e.g., discontinuous systems can operate at 800 MHz, 2 GHz, and 3 .5GHz component carrier). While legacy mobile devices may only be able to communicate using a single, backwards-compatible component carrier, more advanced multi-carrier capable terminals can use multiple component carriers simultaneously. .

As mobile (cellular) communications technology develops, it is possible to increase the number of cells in relatively small geographic areas by having smaller cells (e.g., "pico" cells or "femto" cells) coexisting with larger ("macro") cells. It has been proposed to provide improved communications and to provide improved communication capabilities in localized geographic areas covered by small cells. These small cells may be provided on the same carrier as the macrocell, or may be provided on a different (eg, higher frequency) dedicated carrier.

More recently, user data for a particular user device (also referred to as "user equipment" or "UE"), such as a mobile phone or other mobile communication device, can be transmitted for that user device via a different cell. It has been proposed to allow control data to be communicated to the cells to be communicated. Specifically, the user plane (U-plane) and control plane (C-plane) for a particular user device are configured such that U-plane data is communicated via small cells and C-plane data is communicated via macro cells. It has been proposed that the cell can be divided into a small cell and a macro cell so that communication can be carried out separately.

The proposed small cell does not provide traditional cell-specific signals and/or channels such as carrier reference signals, master information/system information broadcasts, primary/secondary synchronization signals, etc., and is therefore effectively a "pseudo" cell or " Phantom" cell.

Theoretically, this proposed C-plane/U-plane split benefits from better connectivity typically provided by macro cells for critical control signaling and higher , and/or optimization with the benefits of higher throughput and more flexible, energy-efficient, and cost-effective communications provided by small cells using wider frequency bands.

However, the C-plane/U-plane split proposal presents several challenges that need to be addressed if such a proposal is to be actually implemented in global communication networks.

One such challenge is to ensure that user devices can accurately encrypt/decrypt user data and control data while ensuring that different base stations are responsible for U-plane signaling and C-plane signaling, respectively. The goal is to provide appropriate communications security. This can undesirably significantly complicate the signaling between the core network, base stations, and user devices.

Furthermore, to ensure adequate security, it is advantageous to be able to regenerate the security keys used for encryption and integrity protection at any time ("key update" or "key refresh"). Such dynamic rekeying can be the result of an explicit key update procedure or an implicit key refresh procedure. To ensure that the security parameters used for encryption and integrity protection remain unique, for example, the Packet Data Convergence Protocol (PDCP) counter (“PDCP COUNT”) used as encryption input is A key refresh is typically required when a limit value is reached and "wraps around" or "rolls over" back to its initial value. Key update/key refresh avoids the risk that a previously used PDCP COUNT is reused in combination with the same security key as input for encryption, thereby allowing the previous security parameters to be periodically reused. Avoid being taken advantage of.

However, since the PDCP count is kept in the U-plane, while the control signaling required for rekeying occurs in the C-plane, it currently does not work when the U-plane and C-plane are split. , it is not possible to implement such a dynamic key refresh.

The present invention aims to provide a base station, user equipment and related methods that overcome or at least alleviate the above problems.

According to an aspect of the invention, a base station of a communication system, means for providing user plane communications for user equipment (UE) connecting to said base station and a further base station; means for receiving a first security key from the further base station configured to provide control plane signaling to; using the first security key to transmit user plane traffic according to a predetermined encryption algorithm; means for deriving a security key K _UPenc used for the user plane traffic; and means for using the security key K _UPenc used for the user plane traffic in user plane communications provided to the UE. is provided.

According to a further aspect of the invention, a method performed by a base station of a communication system, the method comprising providing user plane communications for user equipment (UE) connecting to said base station and a further base station. receiving a first security key from the further base station configured to provide control plane signaling to the UE; deriving a security key K _UPenc used for user plane traffic by an algorithm; and using the security key K _UPenc used for the user plane traffic in user plane communications provided to the UE. A method is provided that includes; and;

According to a further aspect of the invention, a user equipment (UE) configured to communicate with a plurality of base stations, comprising: means for receiving control plane signaling from a first base station; means for performing user plane communication between a base station and the UE; means for deriving a security key for the second base station from a security key for the first base station; means for deriving, using a security key, a security key K _UPenc used for user plane traffic according to a predetermined encryption algorithm; and means for using a security key K _UPenc used for user plane traffic.

According to a further aspect of the invention, a method performed by a user equipment (UE) configured to communicate with a plurality of base stations, the method comprising: receiving control plane signaling from a first base station; performing user plane communication between a second base station and the UE; deriving a security key for the second base station from a security key for the first base station; deriving a security key K _UPenc used for user plane traffic according to a predetermined encryption algorithm using a security key of a second base station; A method is provided for plane communication including: using a security key K _UPenc used for said user plane traffic.

Aspects of the invention provide a method for programming a programmable processor to carry out a method as described in the aspects and possibilities set out above or in the claims and/or in the claims. such as a computer-readable storage medium having instructions stored thereon operable to program a computer suitably configured to provide an apparatus as claimed in any claim within the scope of This extends to computer program products.

Each feature disclosed in the specification (including the claims) and/or illustrated in the drawings may be used independently of (or in combination with) any other feature disclosed and/or illustrated. ) may be incorporated into the present invention. In particular, without limitation, the features of any of the claims dependent on a particular independent claim may be incorporated into that independent claim in any combination or individually.

Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings, in which: FIG.

FIG. 1 is a schematic diagram showing a communication system. 2 is a diagram illustrating an encryption/integrity key hierarchy used in the communication system of FIG. 1. FIG. 2 is a diagram illustrating a key derivation scheme used by a base station in the communication system of FIG. 1; FIG. 2 is a diagram illustrating a key derivation scheme used by a mobile communication device within the communication system of FIG. 1; FIG. 2 is a simplified block diagram of a mobile communication device for the communication system of FIG. 1; FIG. 2 is a simplified block diagram of a "macro" base station for the communication system of FIG. 1; FIG. FIG. 2 is a simplified block diagram of a "Pico" base station for the communication system of FIG. 1; 2 is a simplified block diagram of a mobility management entity for the communication system of FIG. 1; FIG. 2 is a simplified timing diagram illustrating the operation of the communication system of FIG. 1 when performing a first security procedure; FIG. 2 is a simplified timing diagram illustrating the operation of the communication system of FIG. 1 when performing a second security procedure; FIG. 2 is a simplified timing diagram illustrating the operation of the communication system of FIG. 1 when performing a third security procedure; FIG. 2 is a simplified timing diagram illustrating the operation of the communication system of FIG. 1 when performing a fourth security procedure; FIG. 2 is a simplified timing diagram illustrating the operation of the communication system of FIG. 1 in performing an authentication and key agreement procedure; FIG.

Overview FIG. 1 schematically shows a mobile (cellular) communication system 1, in which a user of any one of a plurality of mobile communication devices 3-1, 3-2, 3-3 may communicate with other users via one or more of the base stations 5-1, 5-2, 5-3 and the core network 110. In the system shown in FIG. 1, each illustrated base station 5 is an Evolved Universal Terrestrial Radio Access Network (E-UTRAN) base station (i.e., an "eNB") capable of operating in a multicarrier environment. .

Core network 110 comprises multiple functional/logical entities, including a mobility management entity (MME) 112, a home subscriber server (HSS) 114, and an authentication center (AuC) 116.

MME 112 is a key control node for the LTE access network. The MME is responsible for authenticating users (by interacting with HSS 114), among other things. Non-access stratum (NAS) signaling terminates at MME 112. Furthermore, the MME 112 is also an in-network termination point for encryption/integrity protection for NAS signaling, and performs security key management.

HSS 114 includes a central database containing user-related information and subscription-related information. HSS 114 functionality includes functions such as mobility management, call and session establishment assistance, user authentication and access authorization. HSS 114 includes the functionality of AuC 116 in this exemplary embodiment (although it can also be provided separately). The AuC 116 functionality provides authentication of each mobile communications device 3 (more specifically, its associated subscriber identity module (SIM) card) attempting to connect to the core network 110 (e.g., if the mobile communications device 3 is powered on). ). Upon successful authentication, HSS 114 manages the SIM and services as described above. As detailed further below, an encryption key is also generated by the AuC 116 function and is used to encrypt all wireless communications (voice, SMS, etc.) between the mobile communication device 3 and the core network 110. used later.

In FIG. 1, the base station labeled 5-1 operates a geographically relatively large "macro" cell 10-1 with an associated component carrier having a first frequency (F1), a so-called Consists of "macro" base stations. The other base stations 5-2, 5-3 shown in FIG. 1 each consist of a so-called "pico" base station operating a respective "pico" cell 10-2, 10-3. Each picocell 10-2, 10-3 operates on a respective component carrier having a corresponding frequency band (F2). The power used to provide picocells 10-2, 10-3 is lower compared to the power used for macrocell 10-1, and therefore picocells 10-2, 10-3 are lower than macrocell 10-1. It's small.

The macro base station 5-1 transmits control signaling 13 in a control plane ("C-plane") to mobile communication devices, such as mobile communication device 3-1, located within the macro cell 10-1 operated by the macro base station. Give -1. The macro base station 5-1 also communicates with mobile communication devices, such as the mobile communication device 3-1, located within the macro cell operated by the base station, in the user plane (“U-plane”). Data 11-1 is also communicated.

However, in the case of pico cells 10-2 and 10-3, U-plane and C-plane are provided by macro base station 5-1 and pico base station 5-2 or It will be divided between 5-3. Specifically, the macro base station 5-1 supports mobile communication devices 3-2 and 3-3 located in pico cells 10-2 and 10-3 operated by pico base stations 5-2 and 5-3. control signaling 13-2, 13-3 in the control plane ("C-plane"). In contrast, each pico base station 5-2, 5-3 supports a respective mobile communication device 3-2, 3 within a pico cell 10-2, 10-3 operated by the pico base station 5-2, 5-3. -3, and communicates user data 11-2 and 11-3 in the U-plane.

Among various control signaling, C-plane signaling includes, for example, signaling for controlling resources used for user plane communication, signaling for controlling establishment and release of user plane communication bearers, and signaling for controlling user plane communication between cells. Includes signaling related to U-plane communications, such as signaling for controlling mobility (eg, handover) of plane communications.

More specifically, C-plane signaling includes broadcasting of system information, paging, establishing, maintaining and releasing an RRC connection between the mobile communication device 3 and the network, security functions including key management, and point-to-point resources for establishment, configuration, retention and release of inter-radio bearers; mobility functions (handover and cell reselection); quality of service (QoS) management functions; measurement reporting and control of reporting; and resources for U-plane communication. control signaling, including radio resource control (RRC) signaling, for allocation;

The security information required for encrypting/decrypting (encrypting/decoding) C-plane data for each pico cell 10-2 and 10-3 (and for integrity protection in the C-plane) is The signal is given to the macro base station 5-1. The macro base station 5-1 uses security information to encrypt/decode control signaling for each mobile communication device 3-2, 3-3 located in either the pico cell 10-2, 10-3 (encryption/decryption). Deriving a security key suitable for (encrypting/decrypting)

The security information required to encrypt/decrypt (encrypt/decrypt) U-plane data for each picocell 10-2 and 10-3 (and for any integrity protection in the U-plane) is , and are given to the pico base stations 5-2 and 5-3 that operate the pico cells 10-2 and 10-3. Each pico base station 5-2, 5-3 is connected to each mobile communication device 3-2, 3-3 located within the pico cell 10-2, 10-3 operated by the base station 5-2, 5-3. Find a security key suitable for encrypting/decrypting (encrypting/decoding) user data.

Each mobile communication device 3 is also provided with the security information required to encrypt/decrypt the C-plane and U-plane data (as well as for any integrity protection). . Each mobile communication device 3 determines from the security information a security key suitable for encrypting/decrypting user data and control data for that device.

Each mobile communication device 3-2, 3-3 communicating via a pico cell 10-2, 10-3 receives an indication that the C-plane and U-plane are split between the macro base station and the pico base station. is also given. This ensures that the mobile communication devices 3-2, 3-3 know which base station 5 is responsible for the C-plane and which base station 5 is responsible for the U-plane. It is beneficial because it helps to Therefore, even if the base station handling U-plane communication is different from the base station providing C-plane communication, mobile communication devices 3-2 and 3-3 can encrypt/encrypt their respective U-plane data. The key for decrypting (encrypting/decrypting) (and for any integrity protection in the U-plane) can be derived.

Security Key Hierarchy and Key Derivation FIGS. 2 to 4 show the security key hierarchy and key derivation in the mobile communication system of FIG. 1.

Specifically, FIG. 2 shows the encryption/integrity key hierarchy used in the mobile communication system of FIG. 3 shows a key derivation scheme used by a base station in the communication system of FIG. 1, and FIG. 4 shows a key derivation scheme used by a mobile communication device in the communication system of FIG.

Figures 2-4 are based on similar diagrams from 3GPP Technical Standard (TS) 33.401v12.6.0, and as those skilled in the art will appreciate, that standard Contains further details of the security mechanisms used in the system.

With reference to FIGS. 2 to 4, the mobile communication system 1 uses several security key parameters, which, for purposes of illustration, can be considered to be arranged in a hierarchy, in which: Keys at lower levels in the hierarchy can be derived from keys higher in the hierarchy using an appropriate key derivation function (KDF) (possibly in combination with other parameters). In this exemplary embodiment, the KDF used to derive the security key is a 3GPP TS 33.220v11.4.1.4.1.1.1.1.1.1.1.1 with inputs as described in 3GPP TS 33.401v12.6.0 (Appendix A). 0 (Appendix B).

As seen in FIGS. 2-4, the security information used in the mobile communication system 1 includes the following security key parameters:
General key parameters:
- K is a permanent key stored in the mobile communication device 3 and on the USIM or UICC in the AuC 116;
- CK and IK (“encryption key” and “integrity key” respectively) are a pair of keys derived within the AuC 116 and on the USIM/UICC during the AKA procedure. CK, IK depend on whether the keys are used in an evolved packet system security context or a legacy security context, as described in subclause 6.1.2 of 3GPP TS 33.401. be treated differently.
- K _ASME is an intermediate key derived within the HSS 114 and within the mobile communication device 3 from the CK and IK (as well as the serving network identity (SNid)).
- The K _eNB is a key derived by the mobile communication device 3 and the MME 112 (or possibly by the mobile communication device 3 and the target eNB during handover) from the K _ASME .
Key for NAS traffic:
- K _NASint is the key used to protect NAS traffic using a specific integrity algorithm. This key is specified in Section A. of 3GPP TS 33.401. is derived by the mobile communication device 3 and the MME 112 from K _ASME and an identifier for the integrity algorithm using a KDF with inputs as specified in 7.
- _KNASenc is the key used to protect NAS traffic using a specific encryption algorithm. This key is specified in Section A. of 3GPP TS 33.401. is derived by the mobile communication device 3 and the MME 112 from K _ASME and the identifier of the encryption algorithm using a KDF with inputs as specified in 7.
Key for user plane traffic:
- K _UPenc is a key used to protect U-plane traffic using a specific encryption algorithm. This key is specified in Section A. of 3GPP TS 33.401. is derived by the mobile communication device 3 and the macro base station 5-1 from the K _eNB and an identifier for the encryption algorithm using a KDF with inputs as specified in 7. However, if the U-plane/C-plane is split between a pico base station and a macro base station as described above, K _UPenc will not be able to protect the U-plane traffic using specific encryption algorithms. (described in more detail later).
- K _UPint is the key used to protect the U-plane traffic between the Relay Node (RN) and the Donor eNB (DeNB) using a specific integrity algorithm. This key is specified in Section A. of 3GPP TS 33.401. The RN and DeNB are derived from K _eNB and the identifier for the integrity algorithm using the KDF with inputs as specified in 7.
Keys for control plane (RRC) traffic:
- K _RRCint is the key used to protect Radio Resource Control (RRC) traffic using a specific integrity algorithm. K _RRCint is defined in Section A. of 3GPP TS 33.401. is derived by the mobile communication device 3 and the macro base station 5-1 from the _KeNB and the identifier for the integrity algorithm using a KDF with inputs as specified in 7.
- K _RRCenc is the key used to protect RRC traffic using a specific encryption algorithm. K _RRCenc is defined in Section A. of 3GPP TS 33.401. is derived by the mobile communication device 3 and the macro base station 5-1 from the _KeNB and the identifier for the encryption algorithm using a KDF with inputs as specified in 7.
Intermediate key:
- NH (“Next Hop”) is defined in Section A. of 3GPP TS 33.401. Section A.7.2.8 of 3GPP TS 33.401 to provide forward security (e.g. during handover) as described in 3GPP TS 33.401. The key is derived by the mobile communication device 3 and the MME 112 using the KDF with inputs as specified in 4.
- K _eNB ^* is defined in Clause A. of 3GPP TS 33.401. derived by the mobile communication device 3 and the source base station from the NH or the currently active _KeNB for use in deriving the key during handover/context change using a KDF with inputs as specified in 5. This is the key to Specifically, upon handover, _KeNB ^* is transferred from the source base station to the target base station. The target base station directly uses the received _KeNB ^* as the _KeNB that will be used if the mobile communication device 3 is handed over. As will be explained in more detail below, in one example method this parameter is advantageously reused when the C-plane/U-plane is split.

Several other notable parameters are also used in the security architecture of the mobile telecommunications system 1. These parameters include:
- AMF, a so-called authenticated management field in the database located in the AuC 116 and on the SIM card of the mobile communication device 3; The AMF is shared in advance between the mobile communication device 3 and the AuC 116 and is used in calculating certain security parameters (eg, MAC and XMAC, which will be explained later).
- OP, which is a so-called operator variant algorithm configuration field in the database in the AuC 116 and on the SIM card of the mobile communication device 3;
- SQN, which is a sequence number that is incremented each time the network attempts to authenticate the mobile communication device 3;
- RAND, which is a random number for use in key generation and authentication.
- AK, which is a so-called anonymous key generated in AuC116.
- XRES, the so-called "expected response" generated in AuC116.
- RES is a response parameter equivalent to XRES, but generated by the mobile communication device 3 to send to the MME 112 for comparison with the XRES for authentication purposes.
- MAC is a message authentication code generated in the AuC116.
- XMAC is the expected MAC value generated at the mobile communication device 3 to authenticate the message against the received MAC.
- AUTN is a so-called authentication token generated in the AnC 116.

When MME 112 receives an attach request from mobile communication device 3, MME 112 sends an authentication data request to AuC 116/HSS 114. After deriving RAND, XRES, CK, IK and AUTN, AuC 116 combines those parameters to generate a so-called authentication vector (AV=RAND| be done. The MME 112 may then retrieve individual parameters from the AV to send to the mobile communication device during the authentication and key generation process as described in more detail below.

In order to encrypt/decrypt the user plane data, as its input K _UPenc : information identifying the radio bearer used for communication ("BEARER") and a single bit indicator of the direction of communication ("DIRECTION"). ”) and the required key stream length (“LENGTH”) for the mobile communication device 3 and the pico base station 5-2, 5-3, which is bearer specific but time and direction dependent. A cryptographic function is used having a 32-bit value of an incremental counter ("COUNT") corresponding to a 32-bit PDCP COUNT maintained in the PDCP layer of the PDCP layer.

Mobile Communication Device FIG. 5 is a block diagram showing the main components of the mobile communication device 3 shown in FIG. 1. Each mobile communication device 3 consists of a mobile (or "cell") telephone capable of operating in a multi-carrier environment. Mobile communication device 3 comprises a transceiver circuit 510 operable to transmit and receive signals to and from base station 5 via at least one antenna 512 . The mobile communication device 3 includes a user interface 514 (eg, touch screen, keypad, microphone, speaker, etc.) through which a user can interact with the device.

The mobile communication device includes a subscriber identity module (SIM) 530 in the form of a universal SIM (USIM) operating on a universal integrated circuit card (UICC). SIM 530 includes a USIM/UICC security module 532 for obtaining and storing a permanent key "K" 534-1, which, in operation, is used to generate other security parameters used for communication security. used for. The USIM/UICC security module 532 also uses K and a “random” value (e.g., the value of RAND provided by the AuC 116 via the MME 112) to create a cryptographic key (CK) and an integrity key (IK). It is operable to derive other security parameters 534-2. SIM 530 has an identification 536 in the form of an International Mobile Subscriber Identity (IMSI).

Operation of transceiver circuit 510 is controlled by controller 516 according to software stored in memory 518.

The software includes an operating system 520, a communications control module 522, and a security management module 525, among others.

The communication control module 522 is configured to manage communication with the macro and/or base station 5 on the associated component carrier. Communication control module 522 is configured to manage NAS communications (indirectly via a base station) with MME 112. Communication control module 522 includes a U-plane module 523 for handling user data and a C-plane module 524 for handling control signaling such as radio resource control messages.

The security management module 525 is configured to manage communications security, including execution of authentication procedures, key and associated security parameter generation and utilization, authentication and key agreement (AKA), to the extent executed in the mobile communication device 3. be done. Security management module 525 may handle retrieval/generation of parameters 526 suitable for use in authentication/key generation procedures. These parameters include UICC/USIM parameters 526-1 retrieved from SIM 530 (e.g., parameters 534-2 such as CK and IK derived by SIM 530) and parameters 526-2 received from other sources ( parameters such as AUTN and RAND received from MME 112 in non-access stratum (NAS) _signaling ) and parameters 526-3 that may be derived at the _mobile communication device (e.g., _K , K _eNB , K _eNB ^* , NH, K _UPenc , K _RRCint , K _RRCenc , etc.). Security management module 525 also includes an AKA module 528 for managing AKA procedures to the extent that they are executed by mobile communication device 3 .

Macro Base Station FIG. 6 is a block diagram showing the main components of the macro base station 5-1 shown in FIG. 1. The macro base station 5-1 consists of an E-UTRAN multi-carrier capable base station comprising a transceiver circuit 610, the transceiver circuit transmits signals to the mobile communication device 3 via at least one antenna 612, and the transceiver circuit transmits signals to the mobile communication device 3 via at least one antenna 612. and is operable to receive signals from. The base station 5-1 also transmits signals with the MME 112 of the core network 110 via the MME (S1) interface 614 and with other base stations 5 via the eNB (X2) interface 616. and is operable to receive.

Operation of transceiver circuit 610 is controlled by controller 616 according to software stored in memory 618.

The software includes an operating system 620, a communications control module 622, and a security management module 625, among others.

Communication control module 622 is configured to manage communications between macro base station 5-1 and mobile communication devices 3 operating within the geographic area covered by macro cell 10-1. Furthermore, the communication control module 622 manages S1-AP signaling between macro base station 5-1 and MME 112 and X2-AP signaling between macro base station 5-1 and other base stations. It is composed of

Communication control module 622 includes a U-plane module 623 for handling user data for mobile communication device 3-1 communicating via macrocell 10-1. The communication control module 622 also provides a communication control module 622 for transmitting user data to the mobile communication device 301 communicating via the macrocell 10-1 and to the mobile communication device communicating via the respective picocells 10-2, 10-3. It also includes a C-plane module 624 for generating control signaling, such as radio resource control (RRC) messages, for 3-2, 3-3.

The security management module 625 manages communication security including execution of authentication procedures, generation and use of keys and related security parameters, and authentication and key agreement (AKA) procedures within the scope of execution in the macro base station 5-1. It is configured as follows.

Security management module 625 may handle receiving/generating parameters 626 suitable for use in authentication/key generation procedures. These parameters 626 include parameters 626-1 received from other sources (eg, _KeNB or NH received from MME 112, or _KeNB ^* received from the source base station during handover). Additionally, parameters 626 may be derived at macro base station 5-1 during normal operation (e.g., K _UPenc , K _RRCint , K _RRCenc ) or may be derived at macro base station 5-1 during handover. (eg, K _eNB ^* when operating as a source node or K _eNB (=K _eNB ^* ) when operating as a target node, etc.). The security management module 625 also includes an AKA module 628 for managing AKA procedures to the extent that they are executed by the macro base station 5-1.

Pico Base Station FIG. 7 is a block diagram showing the main components of the pico base stations 5-2 and 5-3 shown in FIG. 1. The pico base stations 5-2, 5-3 consist of E-UTRAN multi-carrier capable base stations comprising a transceiver circuit 710, the transceiver circuit transmitting signals to the mobile communication device 3 via at least one antenna 712. , is operable to receive signals from the mobile communication device 3. Additionally, the pico base stations 5-2 and 5-3 communicate with the MME 112 of the core network 110 via the MME (S1) interface 714 and with other base stations via the eNB (X2) interface 716. The device is operable to transmit and receive signals.

Operation of transceiver circuit 710 is controlled by controller 716 according to software stored in memory 718.

The software includes an operating system 720, a communications control module 722, and a security management module 725, among others.

The communication control module 722 is configured to manage communication between the pico base stations 5-2, 5-3 and the mobile communication devices 3-2, 3-3 communicating via the pico cells 10-2, 10-3. It is composed of The communication control module 722 also controls S1-AP signaling between the pico base stations 5-2, 5-3 and the MME 112, and X2 communication between the pico base stations 5-2, 5-3 and other base stations. - configured to manage AP signaling.

Communication control module 722 includes a U-plane module 723 for handling user data for mobile communication devices 3-2, 3-3 communicating via picocells 10-2, 10-3.

The security management module 725 performs communications including execution of authentication procedures, generation and use of keys and related security parameters, and authentication and key agreement (AKA) procedures within the scope of execution in the pico base stations 5-2 and 5-3. Configured to manage security.

Security management module 725 may handle receiving/generating parameters 726 suitable for use in authentication/key generation procedures. These parameters 726 include parameters 726-1 (eg, in this embodiment, K _eNB ) received from other sources. Parameters 726 also include parameters 726-2 (eg, K _UPenc ) that may be derived at pico base stations 5-2, 5-3. The security management module 725 also includes an AKA module 728 for managing AKA procedures to the extent executed by the pico base stations 5-2, 5-3.

MME
FIG. 8 is a block diagram illustrating the main components of the mobility management entity (MME) 112 shown in FIG. MME 112 includes transceiver circuitry 810 that is operable to transmit signals to and receive signals from other network devices (such as an HSS) via an associated network entity interface 812. The transceiver circuit 810 is also operable to transmit signals to and receive signals from the base station 5 via the eNB (S1) interface 816, and the signals are transmitted to and from the base station 5. S1-AP signaling for the mobile communication device 3 and NAS signaling for the mobile communication device 3 that is transparent to the base station.

Operation of transceiver circuit 810 is controlled by controller 816 according to software stored in memory 818.

The software includes an operating system 820, a communications control module 822, and a security management module 825, among others.

Communication control module 822 is configured to manage NAS signaling between MME 112 and mobile communication device 3 and S1-AP signaling between MME 112 and base station 5.

Security management module 825 is configured to manage communication security, including execution of authentication procedures, key and associated security parameter generation and utilization, authentication and key agreement (AKA) procedures, to the extent executed in MME 112. .

Security management module 825 may handle receiving/generating parameters 826 suitable for use in authentication/key generation procedures. These parameters 826 include parameters 826-1 received from other sources (eg, CK, IK, AUTN, K _ASME , RAND, XRES retrieved from AV received from HSS 114/AuC 116, etc.). These parameters 826 also include parameters 826-2 (eg, K _NASint , K _NASenc , K _eNB , NH, etc.) that may be derived at MME 112 . Security management module 825 also includes an AKA module 828 for managing AKA procedures to the extent that they are executed by MME 112 .

OPERATIONAL OVERVIEW - SECURITY PARAMETERS PROVISION FIGS. 9-13 show simplified timing diagrams each illustrating the operation of the communication system of FIG. 1 in performing respective variants of the security procedure. As will be understood by those skilled in the art, the timing diagram only shows signaling specifically related to security. Other signaling will typically occur, but has been removed from the simplified timing diagram for clarity reasons.

As seen in FIGS. 9-13, each of the illustrated security procedures includes appropriate security parameters (in particular, _KUPenc 's appropriate Each uses a different mechanism to ensure that the values (values that apply) are used consistently.

Although the different security procedures shown in Figures 9-13 are shown separately, important features of the security procedures may be combined where appropriate, or any of the alternative implementations within the system being deployed. It will be appreciated that it can be offered as an option.

MME-Based K _eNB Provisioning FIG. 9 shows a simplified timing diagram illustrating the operation of the telecommunications system of FIG. 1 in performing a first security procedure, in response to signaling from the MME 112. Appropriate security parameters, specifically, appropriate values of K _UPenc , are generated at the pico base stations 5-2 and 5-3.

At the beginning of the illustrated security procedure, the mobile communication device 3 desiring to initiate communication in the pico cells 5-1, 5-2 receives information identifying the SIM card 530 of the mobile communication device 3 (e.g., " a non-access stratum (NAS) message requesting an attachment (e.g., a "NAS Attach Request" message) containing a "International Mobile Subscriber Identity (IMSI)") to the MME 112 (transparently via the macro base station 5-1); Send.

MME 112 responds to the request at S912 by sending a message to HSS 114 requesting authentication and including information identifying SIM card 530 (eg, an “authentication data request” message). The AuC function 116 of the HSS 114 derives RAND, XRES, CK, IK, and AUTN and combines them to create an authentication vector (AV=RAND| and transmits the generated AV to MME 112 (eg, in an "authentication data response" message) at S916.

The MME 112 retrieves IK, CK, )Send.

The mobile communication device 3 uses the received AUTN to authenticate the network at S922, and uses the stored permanent security key "K" and the received AUTN and RAND parameters (and any other parameters, e.g. AMF for XMAC determination) and respond by deriving appropriate security-related parameters (IK, CK, RES, etc.). Assuming that the authentication is successful, the mobile communication device 3 sends the calculated value of RES to the MME 112 (eg, in a "NAS Authentication Response" message) at S924.

The MME 112 checks the received RES value against the XRES, resets the downlink NAS count, and derives the values of K _ASME , K _eNB , K _NASint , K _NASenc at S926. Thereafter, the MME 112 communicates with the mobile communication device 3 at S928 by sending a NAS security mode command message informing the mobile communication device 3 of the respective algorithms to use for integrity protection and encryption (decryption). Initiate NAS signaling security between

The mobile communication device 3 derives the values of K _ASME , K _eNB , K _NASint , and K _NASenc in S930, and then, in S932, transmits a response message notifying the MME 112 that the NAS signaling security initialization is completed. respond by

Thereafter, the method sends substantially identical S1 application (A1-AP) messages (e.g., "S1-AP Proceed by initiating security context configuration at both the pico base stations 5-2, 5-3 and the macro base station 5-1 by sending an "Initial Context Configuration Request" message). Each S1-AP message contains the derived value of the _KeNB and details of the security features for the mobile communication device 3.

Thereafter, the pico base stations 5-2, 5-3 derive the security parameters (eg, K _UPenc ) required for U-plane encryption/decryption from the received _KeNB at S938. Similarly, the macro base station 5-1 derives security parameters (eg, K _RRCint , K _RRCenc ) required for C-plane encryption/decryption from the received _KeNB at S940.

In S942, assuming that the security context setting in the pico base stations 5-2, 5-3 is successful, the pico base stations 5-2, 5-3 send an appropriate S1-AP message (for example, "S1-AP initial context This is confirmed with the MME 112 in the "Configuration Response" message).

Thereafter, the macro base station 5-1 starts RRC (and user plane) security context configuration in the mobile communication device 3 using RRC signaling (e.g., "RRC security mode command" message) in S944, and uses RRC signaling information identifying the algorithms used for integrity protection and/or encryption, and information indicating that the U-plane and C-plane are to be split (e.g., dedicated information elements (IEs), modified new IEs, or reuse of existing IEs).

In S946, the mobile communication device 3 derives the values of K _RRCint and K _RRCenc for use with control signaling from the macro base station 5-1 from the pre-calculated value of K _eNB . -1 by initializing an RRC security context for communicating with it. The mobile communication device 3 also derives the value of K _UPenc for use with user plane signaling between the pico base stations 5-2 and 5-3 from _{the KeNB} . Initialize the U-plane security context for communication with 5-3.

Assuming that the security context configuration is successful, the mobile communication device 3 confirms this at S932 by sending an appropriate response message (e.g., an "RRC security mode complete" message) to the macro base station 5-1 at S950. do.

In S952, the macro base station 5-1 confirms the successful security context setting to the MME 112 in an appropriate S1-AP message (eg, "S1-AP initial context setting request" message).

Upon successful initialization of the various security contexts (NAS and AS) in the various devices, control signaling connections and user signaling connections may be set up at S954, and the mobile communication device 3 determines that the control plane signaling is connected to the macro base station. 5-1 (S956) and U-plane signaling is provided via the pico base stations 5-2, 5-3 (S958).

Therefore, advantageously, the method provides an efficient way to provide adequate communication security where different base stations are responsible for U-plane signaling and C-plane signaling, respectively. A user device may maintain a security context suitable for both U-plane and C-plane, allowing the user device to accurately encrypt/decrypt user data and control data; In addition, it becomes possible to understand the security parameters (keys) used in different base stations.

This approach is fundamental in that it eliminates the need for base station changes in terms of base station signaling (on X2 or possibly new interfaces) and avoids the associated changes to the X2-AP complexity. It has advantages over other methods described in the specification. However, other methods described herein have the advantage that repetition of S1 signaling is avoided and therefore S1 signaling overhead is reduced.

Base Station Based K _eNB Provision FIG. 10 shows the appropriate security parameters, in particular the _appropriate 2 shows a simplified timing diagram illustrating the operation of the communication system of FIG. 1 during execution of a second security procedure in which a value is generated; FIG.

At the start of the security procedure shown in FIG. , an "International Mobile Subscriber Identity (IMSI)") to MME 112 (transparently via macro base station 5-1) requesting an attachment (e.g., "NAS Attach Request" message). to) send.

MME 112 responds to the request at S1012 by sending a message to HSS 114 that requests authentication and includes information that identifies SIM card 530 (eg, an "authentication data request" message). The AuC function 116 of the HSS 114 derives RAND, XRES, CK, IK, and AUTN, and combines them to create an authentication vector (AV=RAND| and transmits the generated AV to MME 112 (eg, in an "authentication data response" message) at S1016.

The MME 112 retrieves IK, CK, XRES, RAND, and AUTN from the AV in S1018, and transmits the AUTN and RAND parameters to the mobile communication device 3 using NAS signaling (e.g., in a "NAS authentication request" message) in S1020. .

The mobile communication device 3 at S1022 authenticates the network using the received AUTN and the stored permanent security key "K" and the received AUTN and RAND parameters (and optionally It responds by deriving appropriate security-related parameters (IK, CK, RES, etc.) using other parameters (e.g., AMF for XMAC determination). Assuming that the authentication is successful, the mobile communication device 3 sends the calculated value of RES to the MME 112 (eg, in a "NAS Authentication Response" message) at S1024.

The MME 112 checks the received RES value against the XRES, resets the downlink NAS count, and derives the values of K _ASME , K _eNB , K _NASint , K _NASenc at S1026. Thereafter, the MME 112 communicates between the MME 112 and the mobile communication device 3 at S1028 by sending a NAS security mode command message informing the mobile communication device 3 of the respective algorithms to use for integrity protection and encryption (decryption). Initiate NAS signaling security between

The mobile communication device 3 derives the values of K _ASME , K _eNB , K _NASint , and K _NASenc in S1030, and then, in S1032, transmits a response message notifying the MME 112 that the NAS signaling security initialization is completed. respond by

Thereafter, the method transmits an S1 application (A1-AP) message (e.g., "S1-AP initial context configuration request" message) to the macro base station 5-1 in S1034. Proceed by initiating security context configuration. The S1-AP message contains the derived value of the _KeNB and details of the security features for the mobile communication device 3.

In S1036, the macro base station 5-1 transmits an X2 application (X2-AP) message (for example, a new "X2-AP context setting" message) to the pico base stations 5-2 and 5-3. Security context setting is started at the pico base stations 5-2 and 5-3. The X2-AP message contains the derived value of the _KeNB and details of the security features for the mobile communication device 3.

Thereafter, in S1038, the pico base _stations 5-2 and 5-3 receive the security parameters required for U-plane encryption/decryption (for example, K _UPenc ) is derived. Similarly, the macro base station 5-1 derives security parameters (for example, K _RRCint , K _RRCenc ) required for C-plane encryption/decryption from _{the KeNB} received from the MME 112 in S1040. do.

In S1042, assuming that the security context setting in the pico base stations 5-2 and 5-3 is successful, the pico base stations 5-2 and 5-3 send an appropriate X2-AP message (for example, "X2-AP context setting"). This is confirmed to the macro base station 5-1 in the "Response" message).

Thereafter, the macro base station 5-1 starts RRC (and user plane) security context configuration in the mobile communication device 3 using RRC signaling (for example, "RRC security mode command" message) in S1044, and uses RRC signaling information identifying the algorithms used for integrity protection and/or encryption, and information indicating that the U-plane and C-plane are to be split (e.g., dedicated information elements (IEs), modified new IEs, or reuse of existing IEs).

In S1046, the mobile communication device 3 derives the values of K _RRCint and K _RRCenc for use with control signaling from the macro base station 5-1 from the pre-calculated value of K _eNB . -1 by initializing an RRC security context for communicating with it. The mobile communication device 3 also derives the value of K _UPenc for use with user plane signaling between the pico base stations 5-2 and 5-3 from _{the KeNB} . Initialize the U-plane security context for communication with 5-3.

Assuming that the security context configuration is successful, the mobile communication device 3 confirms this at S1032 by sending an appropriate response message (e.g., an "RRC security mode complete" message) to the macro base station 5-1 at S1050. confirm.

In S1052, the macro base station 5-1 confirms the successful security context setting to the MME 112 in an appropriate S1-AP message (eg, "S1-AP initial context setting request" message).

Upon successful initialization of the various security contexts (NAS and AS) in the various devices, control signaling connections and user signaling connections may be configured at S1054, where the mobile communication device determines that the control plane signaling is connected to the macro base station 5. -1 (S1056) and U-plane signaling is provided via the pico base stations 5-2, 5-3 (S1058).

Therefore, advantageously, the method provides another efficient way to provide adequate communication security where different base stations are responsible for U-plane signaling and C-plane signaling, respectively. A user device can maintain a security context suitable for both U-plane and C-plane, allowing the user device to accurately encrypt/decrypt user data and control data, and You will be able to understand the security parameters (keys) used at base stations.

Informing the mobile communication device that the C-plane/U-plane will be split in this way requires the mobile communication device to derive user plane security parameters (K _UPenc ) in order to communicate with the picocell. provides an efficient way to ensure that you have the information needed to ensure that

This approach has an advantage over the first method described herein in that repetition of S1 signaling is avoided and therefore S1 signaling overhead is reduced. However, the first method eliminates the need for base station changes in terms of base station signaling (on X2 or possibly on new interfaces) and avoids the complexity of the X2-AP associated with the changes. has advantages.

Base Station Based K _UPenc Provided FIG. 11 shows a simplified timing diagram illustrating the operation of the communication system of FIG. 1 in performing a third security procedure, in response to signaling from the MME 112. Appropriate security parameters, specifically, appropriate values for K _UPenc , are generated in the macro base station 5-1 and transferred to the pico base stations 5-2 and 5-3 via the X2 interface.

At the start of the security procedure shown in FIG. , an "International Mobile Subscriber Identity (IMSI)") to MME 112 (transparently via macro base station 5-1) requesting an attachment (e.g., "NAS Attach Request" message). to) send.

MME 112 responds to the request at S1112 by sending a message to HSS 114 that requests authentication and includes information identifying SIM card 530 (eg, an "Authentication Data Request" message). The AuC function 116 of the HSS 114 derives RAND, XRES, CK, IK, and AUTN, and combines them to create an authentication vector (AV=RAND| and transmits the generated AV to MME 112 (eg, in an “authentication data response” message) at S1116.

The MME 112 retrieves IK, CK, XRES, RAND, and AUTN from the AV in S1118, and sends the AUTN and RAND parameters to the mobile communication device 3 using NAS signaling (for example, in a "NAS authentication request" message) in S1120. do.

The mobile communication device 3 at S1122 authenticates the network using the received AUTN and the stored permanent security key "K" and the received AUTN and RAND parameters (and optionally (e.g., AMF for XMAC determination) and by deriving appropriate security-related parameters (IK, CK, RES, etc.). Assuming that the authentication is successful, the mobile communication device 3 sends the calculated value of RES to the MME 112 (eg, in a "NAS Authentication Response" message) at S1124.

The MME 112 checks the received RES value against the XRES, resets the downlink NAS count, and derives the values of K _ASME , K _eNB , K _NASint , K _NASenc at S1126. Thereafter, the MME 112 communicates with the mobile communication device 3 at S1128 by sending a NAS security mode command message informing the mobile communication device 3 of the respective algorithms to use for integrity protection and encryption (decryption). Initiate NAS signaling security between

The mobile communication device 3 derives the values of K _ASME , K _eNB , K _NASint , and K _NASenc in S1130, and then, in S1132, transmits a response message notifying the MME 112 that the NAS signaling security initialization is completed. respond by

Thereafter, the method transmits an S1 application (A1-AP) message (e.g., "S1-AP initial context configuration request" message) to the macro base station 5-1 in S1134. Proceed by initiating security context configuration. The S1-AP message contains the derived value of the _KeNB and details of the security features for the mobile communication device 3.

In S1140, the macro base station 5-1 receives security parameters required for C-plane protection (for example, K _RRCint , K _RRCenc ) and for U-plane protection from the _KeNB received from the MME 112. Derive the required security parameters (eg, _KUPenc ).

In S1136, the macro base station 5-1 transmits an X2 application (X2-AP) message (for example, a new "X2-AP context setting" message) to the pico base stations 5-2 and 5-3. Security context setting is started at the pico base stations 5-2 and 5-3. The X2-AP message contains the derived value of K _UPenc and details of the security features for the mobile communication device 3.

When receiving K _UPenc from the macro base station 5-1, and assuming that the security context setting in the pico base stations 5-2 and 5-3 is successful, in S1142, the pico base stations 5-2 and 5-3: Confirm this to the macro base station 5-1 in an appropriate X2-AP message (eg, an "X2-AP Context Setup Response" message).

Thereafter, the macro base station 5-1 starts RRC (and user plane) security context configuration in the mobile communication device 3 using RRC signaling (for example, "RRC security mode command" message) in S1144, and uses RRC signaling information identifying the algorithms used for integrity protection and/or encryption, and information indicating that the U-plane and C-plane are to be split (e.g., dedicated information elements (IEs), modified new IEs, or reuse of existing IEs).

In S1146, the mobile communication device 3 derives the values of K _RRCint and K _RRCenc for use with control signaling from the macro base station 5-1 from the pre-calculated value of K _eNB . -1 by initializing an RRC security context for communicating with it. The mobile communication device 3 also derives the value of K _UPenc for use with user plane signaling between the pico base stations 5-2 and 5-3 from _{the KeNB} . Initialize the U-plane security context for communication with 5-3.

Assuming that the security context configuration is successful, the mobile communication device 3 confirms this at S1132 by sending an appropriate response message (e.g., "RRC Security Mode Complete" message) to the macro base station 5-1 at S1150. confirm.

In S1152, the macro base station 5-1 confirms the successful security context setting to the MME 112 in an appropriate S1-AP message (eg, "S1-AP initial context setting request" message).

Upon successful initialization of the various security contexts (NAS and AS) in the various devices, control signaling connections and user signaling connections may be configured at S1154, and the mobile communication device determines that the control plane signaling (S1156) Communication may be started provided by the base station 5-1 and U-plane signaling is provided via the pico base stations 5-2, 5-3 (S1158).

Therefore, advantageously, the method provides another efficient way to provide adequate communication security where different base stations are responsible for U-plane signaling and C-plane signaling, respectively. A user device can maintain a security context suitable for both U-plane and C-plane, allowing the user device to accurately encrypt/decrypt user data and control data, and You will be able to understand the security parameters (keys) used at the base station.

Informing the mobile communication device that the C-plane/U-plane will be split in this way requires the mobile communication device to derive user plane security parameters (K _UPenc ) in order to communicate with the picocell. provides an efficient way to ensure that you have the information needed to ensure that

This approach does not require the pico base station to derive K _UPenc itself, thereby further simplifying the pico base station, which is a common desire to minimize the complexity of the pico base station. It has advantages over other methods described herein in that it takes into account the following: However, the other methods described herein are such that the value of K _UPenc (also used by the mobile phone 3) is not transmitted and can therefore be easily compromised (e.g. by "eavesdropping"). It has security advantages over this method in that there is no risk of user data security being compromised. Deriving K _UPenc is not trivial, since the other security keys need to be known to derive K _UPenc if the otherwise transferred K _eNB is compromised.

Base Station Based K _eNB ^* Provision It will be appreciated that transfer of K _eNB and K _UPenc between base stations is currently not supported under any circumstances. FIG. 12 shows a simplified timing diagram illustrating the operation of the communication system of FIG. 1 in performing a fourth security procedure, transferring parameters that are currently not supported to transfer between base stations. Instead, the security parameters (K _eNB ^* ) for which inter-base station transfer is currently supported are transferred, albeit in limited circumstances. Specifically, transfer of _KeNB ^* between base stations is currently supported during handover. This fourth security procedure therefore extends the situations in which _KeNB ^* is supported to security context configuration when the U-plane/C-plane is split.

Specifically, in response to signaling from the MME 112, K _eNB ^* is generated in the macro base station 5-1 (corresponding to during handover), and transmitted to the pico base stations 5-2 and 5-3 via the X2 interface. will be forwarded to.

At the beginning of the security procedure shown in FIG. , an "International Mobile Subscriber Identity (IMSI)") to MME 112 (transparently via macro base station 5-1) requesting an attachment (e.g., "NAS Attach Request" message). to) send.

MME 112 responds to the request at S1212 by sending a message to HSS 114 that requests authentication and includes information identifying SIM card 530 (eg, an “authentication data request” message). The AuC function 116 of the HSS 114 derives RAND, XRES, CK, IK, and AUTN, and combines them to create an authentication vector (AV=RAND| and transmits the generated AV to MME 112 (eg, in an "authentication data response" message) at S1216.

The MME 112 searches the AV for IK, CK, do.

The mobile communication device 3 at S1222 authenticates the network using the received AUTN and the stored permanent security key "K" and the received AUTN and RAND parameters (and optionally (e.g., AMF for XMAC determination) and by deriving appropriate security-related parameters (IK, CK, RES, etc.). Assuming that the authentication is successful, the mobile communication device 3 sends the calculated value of RES to the MME 112 (eg, in a "NAS Authentication Response" message) at S1224.

The MME 112 checks the received RES value against the XRES, resets the downlink NAS count, and derives the values of K _ASME , K _eNB , K _NASint , K _NASenc at S1226. Thereafter, the MME 112 communicates with the mobile communication device 3 at S1228 by sending a NAS security mode command message informing the mobile communication device 3 of the respective algorithms to use for integrity protection and encryption (decryption). Initiate NAS signaling security between

The mobile communication device 3 derives the values of K _ASME , K _eNB , K _NASint , and K _NASenc in S1230, and then, in S1232, transmits a response message notifying the MME 112 that the NAS signaling security initialization is completed. respond by

Thereafter, the method transmits an S1 application (A1-AP) message (e.g., "S1-AP initial context setting request" message) to the macro base station 5-1 in S1234. Proceed by initiating security context configuration. The S1-AP message contains the derived value of the _KeNB and details of the security features for the mobile communication device 3.

In S1236, the macro base station 5-1 transmits an X2 application (X2-AP) message (for example, a new "X2-AP context setting" message) to the pico base stations 5-2 and 5-3. Security context setting is started at the pico base stations 5-2 and 5-3. The X2-AP message includes the value of K _eNB ^* derived from the value of K _eNB (and possibly the value of NH) from the MME 112 and details of the security features for the mobile communication device 3 . The value of K _eNB ^* is derived in substantially the same way as in the handover case, but may be given a different name (e.g., K _eNB ^** ) to be distinguishable from the handover case. be.

When the pico base stations 5-2 and 5-3 receive the K _eNB ^* from the macro base station 5-1, in S1238, the pico base stations 5-2 and 5-3 set the security parameters (there may be more than one) required for U-plane encryption/decryption. ). Specifically, the pico base stations 5-2 and 5-3 derive the value of _KeNB (substantially “pico” _KeNB ) from the received _KeNB ^* , and from the derived pico _KeNB Derive the value of K _UPenc . Similarly, the macro base station 5-1 derives security parameters (e.g., K _RRCint , K _RRCenc ) required for C-plane encryption/decryption from _{the KeNB} received from the MME 112 in S1240. .

Assuming that the security context configuration in the pico base stations 5-2 and 5-3 is successful, in S1242, the pico base stations 5-2 and 5-3 send an appropriate X2-AP message (for example, "X2-AP context configuration This is confirmed to the macro base station 5-1 in the "Response" message).

Thereafter, the macro base station 5-1 starts RRC (and user plane) security context configuration in the mobile communication device 3 using RRC signaling (for example, "RRC security mode command" message) in S1244, and uses RRC signaling information identifying the algorithms used for integrity protection and/or encryption, and information indicating that the U-plane and C-plane are to be split (e.g., dedicated information elements (IEs), modified new IEs, or reuse of existing IEs).

In S1246, the mobile communication device 3 derives the values of K _RRCint and K _RRCenc for use with control signaling from the macro base station 5-1 from the pre-calculated ("macro") value of K _eNB . , responds by initializing an RRC security context for communicating with macro base station 5-1. The mobile communication device 3 is also able to find the value of K _eNB ^* and hence the correct K _UPenc for use with the user plane signaling between the pico base stations 5-2, 5-3. By deriving the value of K _eNB , the U-plane security context for communication with the pico base stations 5-2, 5-3 is initialized.

Assuming that the security context configuration is successful, the mobile communication device 3 confirms this at S1232 by sending an appropriate response message (e.g., "RRC security mode complete" message) to the macro base station 5-1 at S1250. confirm.

In S1252, the macro base station 5-1 confirms the successful security context configuration to the MME 112 in an appropriate S1-AP message (eg, "S1-AP initial context configuration request" message).

Upon successful initialization of the various security contexts (NAS and AS) in the various devices, control signaling connections and user signaling connections may be configured at S1254, where the mobile communication device determines that the control plane signaling is connected to the macro base station 5. -1 (S1256) and U-plane signaling is provided via the pico base stations 5-2, 5-3 (S1258).

Therefore, advantageously, the method provides another efficient way to provide adequate communication security where different base stations are responsible for U-plane signaling and C-plane signaling, respectively. A user device can maintain a security context suitable for both U-plane and C-plane, allowing the user device to accurately encrypt/decrypt user data and control data, and You will be able to understand the security parameters (keys) used at the base station.

Informing the mobile communication device that the C-plane/U-plane will be split in this way requires the mobile communication device to derive user plane security parameters (K _UPenc ) in order to communicate with the picocell. provides an efficient way to ensure that you have the information needed to ensure that

This approach has an advantage over other methods described herein in that it does not require the transfer of security parameters that are currently not supported for transfer between base stations. However, other methods described herein have the advantage of increased complexity to properly derive K _eNB ^* in non-handover scenarios.

Individual Authentication and Key Agreement (AKA) Procedures Figure 13 shows a simplified diagram illustrating the operation of the communication system of Figure 1 when performing further security procedures, during which appropriate security parameters are A single AKA procedure for macro base station 5-1 (e.g., 9 to 11 respectively), separate AKA procedures for macro base station 5-1 and pico base stations 5-2, 5-3 are performed.

As shown in FIG. 13, the procedure involves an AS security procedure performed for communication between the macro base station 5-1 and the mobile communication device 3 at S1313. During this procedure, the mobile communication device 3, the macro base station 5-1, and the MME 112 perform communication between the macro base station 5-1 and the mobile communication device 3 in S1312-1, S1312-2, and S1312-3, respectively. - Generate and maintain its own security context for plain signaling. Generation of each security context involves deriving an appropriate macro/C-plane specific security key (eg, K _RRCint , K _RRCenc , etc. as described above).

The procedure also involves an AS security procedure performed for communication between the pico base stations 5-2, 5-3 and the mobile communication device 3 at S1314. During this procedure, the mobile communication device 3, the pico base stations 5-2, 5-3, and the MME 112 move with the pico base stations 5-2, 5-3 in S1316-1, S1316-2, and S1316-3, respectively. Generates and maintains its own security context for U-plane signaling with the communication device 3. Generation of each security context involves deriving an appropriate pico/U-plane specific security key (eg, K _UPenc , etc. as described above).

The steps S1313 and S1314 can be performed sequentially or simultaneously in any suitable order.

Therefore, as a result of the procedure in FIG. 13, it can be seen that the MME 112 and the mobile communication device 3 each maintain two ongoing security contexts. To support the existence of two ongoing security contexts, this example modifies the handover signaling (for handover from one macro+pico to another macro+pico) to allow the two security contexts to be exchanged. . For example, its signaling can be modified to allow two _KeNB ^* s to be generated and forwarded (based on each _KeNB ) and to signal different security algorithms (if different algorithms are used); Allows for signaling of other general information associated with two different security contexts.

Additionally, the RRC and NAS messages are modified appropriately to support the dual AKA procedure of FIG. For example, the RRC security mode command is modified to include information identifying the security algorithm for each AKA procedure, and the NAS security message is modified to include duplication of security parameters, as appropriate.

The mobile communication device 3 maintains two cryptographic instances (e.g. at the PDCP layer), each with its own set of security keys, one key for control plane encryption and one key for control plane encryption. is for user plane encryption.

It will be appreciated that similar procedures can be applied, if desired, to generate separate NAS contexts for the pico and macro base station AKA procedures being executed. The procedure is similar to the procedure described with reference to FIGS. 9-12, but during this procedure, the mobile communication device 3 and the MME 112 each create a NAS security context for the macro base station 5-1. , and another NAS security context for the pico base stations 5-2 and 5-3. The generation and transmission of a NAS security context may optionally include the derivation and transmission of duplicate security parameters (one copy per context).

Key Change Performing Procedures Regardless of which of the above procedures is performed, to avoid potential security issues associated with PDCP COUNT rollover, the pico base stations 5-2, 5-3: A new X2-AP message containing an information element (e.g., "K _UPenc Rekey" IE) indicating that the K _UPenc requires a change when a PDCP COUNT rollover has occurred or is about to occur. It is possible to operate to notify the macro base station 5-1 using . In response to receiving this message, the macro base station 5-1 initiates an inter-cell handover, resulting in the current pico/macro cell pair being The communication will be continued using a different _KUPenc value.

Similarly, if other security parameters such as _KeNB are dynamically changed and provided to the macro base station 5-1 by the MME 112 (according to the current procedure), when the procedure shown in FIG. 10 is implemented, The macro base station 5-1 is configured to transfer the new _KeNB to the pico base stations 5-2 and 5-3. When the procedure shown in FIG. 11 is implemented, the macro base station 5-1 is configured to forward the new K _UPenc to the pico base stations 5-2, 5-3. When the procedure shown in FIG. 12 is performed, the macro base station 5-1 is configured to forward the new K _eNB ^* to the pico base stations 5-2, 5-3. If the procedure shown in FIG. 9 is implemented, the MME 112 is configured to forward the new _KeNB to the pico base stations 5-2, 5-3 in a duplicate S1 message.

Modifications and Alternatives Detailed embodiments have been described above. As those skilled in the art will appreciate, several modifications and alternatives to the embodiments and variations described above can be implemented while still benefiting from the invention embodied herein.

In the embodiments described above, one macrocell 7 and two picocells 10 are described. Pico cells are operated using component carriers having the same frequency band (F2), and macro cells are operated using component carriers having different frequency bands (F1). In a deployed system, there may be any number of picocells, each operating on component carriers with different respective frequency bands, and potentially on the same frequency band as the macrocell. It will be appreciated that it can be operated on a component carrier that has.

In the above embodiments, the macro base station and the pico base station may have the same security functionality. However, if different security capabilities are supported, the mobile communications device is informed (e.g., in an "RRC security mode command" or other similar message) of the appropriate capabilities per base station and thereby Communication devices will now be able to use the correct algorithms.

In the above embodiments, the encryption key is transferred from the macro base station or derived by the pico base station based on security information received from either the MME or the macro base station. It will be appreciated that other parameters required for U-plane encryption/decryption may be derived as follows. A COUNT may be maintained at the PDCP level by the pico base station. The BEARER identification can be transferred from the macro base station or can be selected by the pico base station. DIRECTION can be set at either the macro base station or the pico base station. For example, proper synchronization can be provided between the macro and pico base stations to ensure that the correct bearer identification is known at both the macro and pico base stations. If both base stations have the information and ability to determine a particular parameter (e.g. "DIRECTION"), only one base station will make the decision and this will be communicated to the other base station. Become.

The detailed description given for the embodiments of FIGS. 9-12 relates to the procedure for initial connection establishment. It will be appreciated that a similar approach can be used when the decision to split the U-plane and C-plane is made at a later stage. For example, a mobile communication device may engage in one type of user plane communication provided by a macrocell (e.g., Voice over IP "VoIP") and then engage in a different form of user plane communication provided by a picocell (e.g., Web browsing session), it may be necessary to initiate a C-plane/U-plane split. In this case, an S1 UE context change (with a corresponding response) can be used to provide appropriate security information to the pico base station (similar to the process in Figure 9). Similarly, a new X2 message (with a corresponding response) may be provided (eg, an X2-AP context change message) (similar to the process in any of FIGS. 10-12). Furthermore, the RRC signaling used to provide the mobile communication device with appropriate security information (if the security parameters have changed) and/or an indication that a split has occurred may include an RRC reconfiguration message (with a corresponding response). It can be a message like this.

Although specific new X2-AP messages (X2-AP Context Setup and X2-AP Context Setup Response) have been described, any suitable - It will be appreciated that AP messages can be used.

Furthermore, although information such as _KeNB is shown to be exchanged via the ” interface).

The RRC security mode command message contains information indicating that the U-plane and C-plane are to be split (e.g., in the form of a dedicated information element (IE), a modified IE, or reuse of an existing IE). However, an indication that the U-plane and C-plane are split may (instead or in addition) be sent to the mobile communication device in a NAS message, such as a NAS Security Mode Command message. It is also possible to notify.

Information elements included in such messages typically include, for example:
- Security key IE for messages from macro base station to pico base station (can be used in the procedures of FIGS. 10-13 or for the key change in progress procedure).
° This can be KeNB or Next Hop (NH).
In the case of the embodiment of FIG. 10, for example, it may be a macro _KeNB .
° In the case of the embodiment of Figure 12, it may be the macro K _eNB ^* .
° In the case of dual AKA in Figure 13, it can be the pico _KeNB for the new AKA.
- UE Security Capabilities IE for messages from macro base station to pico base station (e.g. indicating changes in security capabilities)
Kupenc key change IE for messages from pico base station to macro base station (indicating that intra-cell handover procedure is required during PDCP COUNT rollover)

With reference to the timing diagrams, it will be appreciated that in many cases message transmissions need not follow the specific order shown, but can follow any logical order.

Referring to FIG. 9, as an example, a pico base station and a macro base station are used to initiate AS security context configuration (S934, S936) and resulting U-plane and C-plane key derivation (S938, S940). Although the S1-AP messages sent to are shown as occurring in a particular order (for clarity of illustration), they may occur in any suitable order or simultaneously, as appropriate. Those skilled in the art will understand that there are Specifically, for example, the start of security context initialization and key derivation at the pico base stations 5-2 and 5-3 (S934, S938) corresponds to the security context initialization and key derivation at the macro base station 5-1. may occur entirely before, entirely after, or substantially simultaneously with the initiation of (S936, S940). Similarly, an associated S1-AP response message may be sent at any suitable time after successful security context initialization.

Additionally, in FIG. 9 a replica of only one S1-AP message (S1-AP initial context configuration) is shown to be sent to the pico base station in order to provide appropriate security parameters, e.g. It will be appreciated that the pico base station may be provided with a copy of any suitable S1-AP message conveying security parameters, including messages and the like.

In connection with the dual AKA procedure described with reference to FIG. 13, there may also be a scenario in which the pico base station is not an E-UTRAN base station, but instead connects to a non-EUTRAN or even a non-3GPP network. That will be understood. In this case, the non-3GPP network can perform its own security procedures for the user plane, while the macro base station still performs the 3GPP security procedures, thereby resulting in a non-3GPP network for the user plane. A 3GPP security context is created and a 3GPP security context for the control plane is created.

Although the communication system 1 has been described with respect to a base station 5 operating as a macro or pico base station, the same principles apply to base stations operating as femto base stations, relay nodes providing elements of base station functionality, or It will be appreciated that it can be applied to other such communication nodes.

In the above embodiments, a mobile phone-based communication system has been described. As those skilled in the art will appreciate, the signaling techniques described in this application can be used in other communication systems. Other communication nodes or devices may include, for example, user devices such as personal digital assistants, laptop computers, web browsers, and the like. As those skilled in the art will appreciate, it is not necessary that the relay system described above be used for a mobile communication device. The system can be used to extend base station coverage in networks with one or more fixed computing devices, along with or in place of mobile communication devices.

In the embodiments described above, the base station 5 and the mobile communication device 3 each include a transceiver circuit. Typically, this circuit is formed by dedicated hardware circuitry. However, in some embodiments, portions of the transceiver circuitry may be implemented as software executed by a corresponding controller.

In the embodiments above, multiple software modules have been described. As will be understood by those skilled in the art, those software modules can be provided in compiled or uncompiled form and supplied to a base station or relay station as a signal over a computer network or on a storage medium. can do. Furthermore, the functions performed by some or all of this software may also be performed using one or more dedicated hardware circuits.

Various other modifications will be apparent to those skilled in the art and will not be discussed in further detail here.

This application claims priority from UK Patent Application No. 1300884.2, filed on 17 January 2013, the entire disclosure of which is incorporated herein by reference.

Claims (7)

A second base station,
controller and
a transceiver configured to communicate with user equipment (UE) configured to connect to a first base station and the second base station simultaneously;
Equipped with
The controller includes:
controlling the transceiver to receive a security key for the second base station derived by the first base station from the first base station that provides control plane signaling to the UE;
deriving a user plane security key for use in protecting user plane traffic between the UE and the second base station using the security key of the second base station;
controlling the transceiver to provide user plane communications using the user plane security key;
controlling the transceiver to send a first message related to a security key update to the first base station when a Packet Data Convergence Protocol (PDCP) count is about to wrap around;
the second base station derived by the first base station using the first base station's security key while the UE is connected to the first base station and the second base station; controlling the transceiver to receive a second message from the first base station for delivering an updated security key for the station;
deriving an updated user plane security key using the updated security key of the second base station;
using the updated user plane security key to protect user plane traffic between the UE and the second base station;
It is configured as follows.
Second base station. the controller is configured to control the transceiver to receive the updated security key of the second base station on an X2 interface;
The second base station according to claim 1. the user plane security key includes K _UPenc ;
The second base station according to claim 1. the controller is configured to control the transceiver to receive the security key of the second base station in a context change message;
The second base station according to claim 1. A first base station,
controller and
a transceiver configured to communicate with user equipment (UE) configured to connect to the first base station and the second base station simultaneously;
The controller comprises:
deriving a security key for the second base station capable of deriving a user plane security key for protecting user plane traffic between the UE and the second base station;
controlling the transceiver to provide control plane signaling to the UE;
controlling the transceiver to transmit the security key of the second base station to the second base station providing user plane communications to the UE;
controlling the transceiver to receive a first message related to a security key update from the second base station when a Packet Data Convergence Protocol (PDCP) count is about to wrap around;
While the UE is connected to the first base station and the second base station, the security key of the first base station is used to update the updated security key of the second base station. Derive,
delivering the updated security key of the second base station from which an updated user plane security key for protecting user plane traffic between the UE and the second base station can be derived; controlling the transceiver to transmit a second message of: to the second base station;
It is configured as follows.
First base station. A method performed by a second base station, the method comprising:
receiving from a first base station providing control plane signaling to user equipment (UE) a security key for the second base station derived by the first base station;
deriving a user plane security key for use in protecting user plane traffic between the UE and the second base station using the security key of the second base station;
providing user plane communications to the UE using the user plane security key;
transmitting a first message related to a security key update to the first base station when a Packet Data Convergence Protocol (PDCP) count is about to wrap around;
the second base station derived by the first base station using the first base station's security key while the UE is connected to the first base station and the second base station; receiving a second message from the first base station for delivering an updated security key for the station;
deriving an updated user-plane security key using the updated security key of the second base station; and transmitting the updated user-plane security key between the UE and the second base station. for use in protecting user plane traffic to and from stations;
How to prepare. A method performed by a first base station, the method comprising:
deriving a security key for a second base station capable of deriving a user plane security key for protecting user plane traffic between a user equipment (UE) and the second base station;
providing control plane signaling to the UE;
transmitting the security key of the second base station to the second base station that provides user plane communications to the UE;
receiving a first message related to a security key update from the second base station when a Packet Data Convergence Protocol (PDCP) count is about to wrap around;
While the UE is connected to the first base station and the second base station, the security key of the first base station is used to update the updated security key of the second base station. deriving the updated user plane security key of the second base station from which an updated user plane security key for protecting user plane traffic between the UE and the second base station can be derived; transmitting a second message to the second base station for delivering a security key;
How to prepare.

Images